Configure and Manage Security Groups and Policies in NSX


Create, Modify, or Delete Security Groups in NSX

Security Groups are very powerful because they let you group a collection of objects in your vSphere inventory. That sounds simple, but the collection can be defined statically from inventory objects (for example a Virtual Machine, Cluster, or Datacenter), dynamically from attributes (for example a security tag on a virtual machine, the Guest OS type, or the VM name), or as a combination of static and dynamic membership. On its own, a Security Group does nothing; its power comes once it is created, because you can then assign security policies or firewall rules to it. It is even possible to integrate third-party software that applies a security tag to a VM when a virus is found, and to associate that tag with a security group whose inbound and outbound traffic is all blocked. What you do with it depends on what you want to accomplish in your environment, but you can definitely see the potential.
Step 1. Navigate to Networking & Security -> Service Composer -> Security Groups tab, then click the Add new Security Group button.
Step 2. Define a Name and Description, then click Next.
Step 3. Specify the membership criteria. This is where you get to be really creative: you can specify members by Computer OS Name, Computer Name, VM Name, Security Tag, or Entity. I wanted both of my Web Servers included, so I used VM Name contains “Web”. You can add multiple membership criteria, or just use one.
Step 4. Specify any additional objects to include. Objects can be a wide variety of things, so I won’t list them all, but they include Security Tag, Resource Pool, vNIC, Logical Switch, Cluster, and much more. Click Next.
Step 5. Select the objects to exclude, then click Next.
Step 6. Click Finish.
Step 7. Finally, depending on your criteria, you can confirm how many Security Policies, Guest Introspection Services, Firewall Rules, Network Introspection Services, and Virtual Machines are part of the Security Group. In my instance, two Virtual Machines matched my criteria.
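As an added example (not part of the original post or of NSX itself), the model below shows how the three pieces the wizard collects combine into a group's effective membership: dynamic criteria from Step 3, static includes from Step 4, and excludes from Step 5, with an exclude always winning. The VM inventory, tag name and criteria are constructed sample data, and the criterion keys are the wizard's own choices.

```python
# Added example (not from the original post): how Service Composer resolves
# Security Group membership from what the wizard collects: dynamic criteria
# (Step 3), static includes (Step 4) and excludes (Step 5). Sample data is constructed.
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    os_name: str
    computer_name: str
    tags: set = field(default_factory=set)
# Criteria keys mirror the wizard's choices; each maps to the attribute it inspects.
_KEYS = {"VM Name": lambda vm: vm.name, "Computer OS Name": lambda vm: vm.os_name,
         "Computer Name": lambda vm: vm.computer_name, "Security Tag": lambda vm: vm.tags}

def matches(vm: VM, key: str, op: str, value: str) -> bool:
    """Evaluate one (key, operator, value) criterion against a VM."""
    actual = _KEYS[key](vm)
    if isinstance(actual, set):            # Security Tag: exact tag match
        return value in actual
    if op == "contains":
        return value.lower() in actual.lower()
    if op == "equals":
        return value.lower() == actual.lower()
    raise ValueError(f"unsupported operator {op!r}")

def resolve_members(inventory, criteria, match_any=True, include=(), exclude=()):
    """Names of the VMs that end up in the group. match_any chooses 'any' vs 'all'
    for the criteria list; excluded objects always win, which is the case to
    check first when a VM is unexpectedly missing from a group."""
    combine = any if match_any else all
    dynamic = {vm.name for vm in inventory
               if criteria and combine(matches(vm, *c) for c in criteria)}
    return (dynamic | set(include)) - set(exclude)

# Constructed inventory: two web servers, a database server carrying a made-up
# tag a scanner might set, and a jump host.
INVENTORY = [
    VM("Web-01", "Ubuntu Linux (64-bit)", "web01"),
    VM("Web-02", "Ubuntu Linux (64-bit)", "web02"),
    VM("DB-01", "Microsoft Windows Server 2016 (64-bit)", "db01", {"virus-found"}),
    VM("Jump-01", "Microsoft Windows Server 2016 (64-bit)", "jump01"),
]

def web_servers():          # the post's own criterion: VM Name contains "Web"
    return resolve_members(INVENTORY, [("VM Name", "contains", "Web")])

def quarantine():           # tag-driven group; static include that is also excluded
    return resolve_members(INVENTORY, [("Security Tag", "equals", "virus-found")],
                           include=["Jump-01"], exclude=["Jump-01"])
```

Step 7's member count is what `resolve_members` returns; run it against the group's actual criteria when the count in the UI is not what you expected.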

Create, Modify, or Delete Security Policies in NSX

After you have created the security group, the next step is to create a security policy. A security policy is a grouping of network and security services, for example Distributed Firewall rules, Network Introspection services, or Guest Introspection (Endpoint) services. To create a security policy, follow the steps below.
Step 1. Navigate to the Security Policies tab and click the Create Security Policy button.
Step 2. Specify a Name, a Description, and whether you want to inherit from an existing security policy, then click Next. Note: You can also expand the Advanced options and specify a weight for the security policy; a higher weight gives the policy higher precedence.
Step 3. Specify Guest Introspection Services to add to the security policy then click Next. For more information on Guest Introspection Services, please see VMware’s Documentation.
Step 4. Add any Firewall Rules that you would like to associate with the Security Policy then click Next. Note: You can always add firewall rules to the Security Policy at a later time from the Firewall pane.
Step 5. Specify Network Introspection Services to associate with the security policy, then click Next. I couldn’t find a whole lot of documentation on Network Introspection Services, but examples include Palo Alto firewalls or F5 BIG-IP.
Step 6. Confirm your settings, then click Finish. I know I really only created a blank shell for the Security Policy, but I believe Guest Introspection and Network Introspection are out of scope for the VCIX-NV exam, and I already covered creating firewall rules here.

Map Security Policies to Security Groups

Next you will want to map the Security Policy you created to the Security Group.
Step 1. Right-click your Security Policy, then select Apply Policy.
Step 2. Check the Security Group(s) to which you would like to apply the Security Policy, then click OK.
That’s it! You have successfully created a Security Group, a Security Policy, and mapped the two together. As mentioned, I think this is one of the most powerful features of NSX so I highly recommend you play around with the Security Groups and Security Policy settings to get a better understanding of all of the different features and options it offers!

1 Comment

  1. Wojciech Janik - April 27, 2018 - 8:17 am

    Given that I applied a security policy to several Security Groups, how can I delete a security group from applied Security Groups?
    Thanks in advance

